Infection Chain

Today, as I was doing my usual malvertising runs, I was redirected to RIG exploit kit via a decoy site often used by the HookAds campaign.

Below is an image of some of the malvertising traffic being filtered in Wireshark:

The website that initiated this malvertising traffic and the decoy site have been redacted.

The HookAds decoy sites are designed to redirect users to a RIG exploit kit landing page. Other campaigns that utilize exploit kits (pseudo-Darkleech and EITest) have either disappeared altogether or drastically slowed down. However, the HookAds campaign is still rolling along.

This malvertising chain was quite long so I won’t be including every single redirect. Additionally, trying to piece together a malvertising redirection chain can be confusing and time consuming, even for somebody with experience.

I am also seeing traffic to a RoughTed domain (arrassley.info at 34.193.201.92) right before the host is redirected to the decoy site. However, it doesn’t appear that the RoughTed campaign was responsible for the redirection to the HookAds decoy site.

The Referer for the HookAds decoy site was clicksgear.com:

The GET request for clicksgear.com returns a 302 Moved Temporarily that points to the decoy site.

The GET request for the decoy site, located at www[.]decoysite[.]com/?adsterra_us, was initiated via a 302 redirect from clicksgear.com. The decoy page contains the following script for /popunder.php:

The GET request for popunder.php returns the following script:

The function is called to write an iframe into a new DOM object. The iframe is built from the PopUnderURL, statically-defined dimensions for the injected iframe, and the location of the resource at “heydrid[.]info/banners/uaps”.

heydrid[.]info/banners/uaps returns RIG’s pre-landing page:

The NormalURL contains the URL for the RIG pre-landing page.
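The chain above is driven by two mechanisms: an HTTP 302 Location header (clicksgear.com to the decoy site) and URLs embedded in script bodies (the decoy page's /popunder.php, the PopUnderURL inside it, and the NormalURL on the pre-landing page). The following Python is an added example, not code from the original post or from any tool it mentions, that walks a set of exported HTTP transactions and reconstructs that chain from both mechanisms. The transaction records are constructed to mirror the hops described here; the hostnames are the ones named in the write-up, the decoy site is the write-up's own placeholder, and the RIG pre-landing URL, query strings and script bodies are assumptions.

```python
"""Reconstruct a malvertising redirect chain from exported HTTP transactions."""
import re
from urllib.parse import urljoin, urlsplit

# Constructed transaction log (not a real capture). Hostnames follow the write-up;
# the decoy site is the write-up's placeholder, the RIG pre-landing URL is a placeholder
# chosen here, and the script bodies are assumed shapes of the scripts described.
TRANSACTIONS = [
    {"url": "http://clicksgear.com/click?id=1", "status": 302,
     "location": "http://www.decoysite.com/?adsterra_us", "body": ""},
    {"url": "http://www.decoysite.com/?adsterra_us", "status": 200, "location": None,
     "body": '<html><script src="/popunder.php"></script></html>'},
    {"url": "http://www.decoysite.com/popunder.php", "status": 200, "location": None,
     "body": 'var PopUnderURL = "http://heydrid.info/banners/uaps";\n'
             'function showPop(){ document.write("<iframe src=\'" + PopUnderURL + '
             '"\' width=\'300\' height=\'250\'></iframe>"); }\nshowPop();'},
    {"url": "http://heydrid.info/banners/uaps", "status": 200, "location": None,
     "body": 'var NormalURL = "http://rig-prelanding.example/?placeholder";'},
]

# Script variables whose name ends in URL (PopUnderURL, NormalURL, ...) holding a literal.
URL_VAR = re.compile(r'\b(\w*URL)\s*=\s*["\']([^"\']+)["\']')
# Literal src attributes (script/iframe) in HTML bodies.
SRC_ATTR = re.compile(r'\bsrc=["\']([^"\']+)["\']')


def extract_edges(tx):
    """Return (target_url, how) pairs that one transaction leads the browser to."""
    edges = []
    if 300 <= tx["status"] < 400 and tx.get("location"):
        edges.append((urljoin(tx["url"], tx["location"]), "HTTP %d Location" % tx["status"]))
    for name, value in URL_VAR.findall(tx["body"]):
        edges.append((urljoin(tx["url"], value), "script variable " + name))
    for src in SRC_ATTR.findall(tx["body"]):
        edges.append((urljoin(tx["url"], src), "src attribute"))
    return edges


def reconstruct_chain(transactions, start_url):
    """Breadth-first walk from start_url; returns hops as (from, to, how) tuples."""
    by_url = {t["url"]: t for t in transactions}
    chain, seen, frontier = [], {start_url}, [start_url]
    while frontier:
        current = frontier.pop(0)
        tx = by_url.get(current)
        if tx is None:          # target was never requested in this capture
            continue
        for target, how in extract_edges(tx):
            if target in seen:
                continue
            seen.add(target)
            chain.append((current, target, how))
            frontier.append(target)
    return chain


def ioc_hosts(chain):
    """Ordered, de-duplicated hostnames touched by the chain, for blocklisting."""
    hosts = []
    for src, dst, _ in chain:
        for url in (src, dst):
            host = urlsplit(url).hostname
            if host not in hosts:
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    for src, dst, how in reconstruct_chain(TRANSACTIONS, TRANSACTIONS[0]["url"]):
        print("%s\n  -> %s  [%s]" % (src, dst, how))
    print("hosts:", ", ".join(ioc_hosts(reconstruct_chain(TRANSACTIONS, TRANSACTIONS[0]["url"]))))
```

Feeding it a real export (for example a Wireshark HTTP object list converted to the same record shape) gives the hop order without reading each redirect by hand; the walk stops at any URL the capture never requested, so a missing hop shows up as a chain that ends early rather than as a guessed link.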

File System

The payload is dropped in %Temp%:

The payload was then copied to %AppData% as Deviprov.exe:

The payload is copied to a folder called “efsshell”.

Processes:

The bot checks in with the CnC server at 144.168.45.110/images/[removed]/.avi. We then see the GET request for the Tor client being hosted at 144.168.45.110/tor/voip4.rar.

When the Tor client is retrieved from 144.168.45.110 we see the bot create a registry entry in HKCU\Software\AppDataLow\Software\Microsoft\{guid}:

This key contains the path to the client (which is dropped in the %Temp% folder) with a filename using the pattern [A-F0-9]{4}.bin. In my infection chain the file was called E5F1.bin.

Persistence:

As I was browsing the web I also noticed the creation of extension-less text files in a folder located at C:\Users\{Username}\AppData\Roaming\Microsoft\{random}:
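The host artifacts in the File System, Processes and Persistence sections above (the %Temp% drop named [A-F0-9]{4}.bin, Deviprov.exe under efsshell, the HKCU\Software\AppDataLow\Software\Microsoft\{guid} value pointing at that .bin, the extension-less files under Roaming\Microsoft\{random}, and the Tor client fetch from 144.168.45.110/tor/voip4.rar) are each checkable from endpoint telemetry. The following Python is an added example, not code from the original post, that applies those checks to a constructed batch of Sysmon-style events. The event shape, the username, the GUID and the list of well-known Roaming\Microsoft folder names used to suppress benign hits are assumptions; the paths, key and IP are the ones given in the write-up.

```python
"""Flag the host artifacts described in the write-up in constructed endpoint events."""
import re

# Constructed events in a Sysmon-like shape (not real telemetry). Paths, key and IP
# follow the write-up; the username, GUID and benign entries are made up.
EVENTS = [
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Local\Temp\E5F1.bin"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\efsshell\Deviprov.exe"},
    {"type": "reg_set",
     "key": r"HKCU\Software\AppDataLow\Software\Microsoft\{1b2c3d4e-0000-4000-8000-00000000abcd}",
     "value": "placeholder", "data": r"C:\Users\victim\AppData\Local\Temp\E5F1.bin"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Qzkvplmn\uhsd"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Recent\report.lnk"},
    {"type": "file_create",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Protect\S-1-5-21-1-2-3-1001\Preferred"},
    {"type": "http_get", "dst_ip": "144.168.45.110", "uri": "/tor/voip4.rar"},
    {"type": "http_get", "dst_ip": "93.184.216.34", "uri": "/index.html"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer",
     "value": "x", "data": "1"},
]

# Registry key pattern from the write-up: AppDataLow\Software\Microsoft\{guid}.
GUID_KEY = re.compile(r"^HKCU\\Software\\AppDataLow\\Software\\Microsoft\\\{[0-9A-Fa-f-]{36}\}", re.I)
# Tor client drop: four hex characters plus .bin, directly in a Temp folder.
HEX_BIN = re.compile(r"\\Temp\\[A-F0-9]{4}\.bin$")
# Copied payload location from the write-up.
EFSSHELL = re.compile(r"\\AppData\\Roaming\\efsshell\\Deviprov\.exe$", re.I)
# One folder directly under Roaming\Microsoft, with a file directly inside it.
ROAMING_MS = re.compile(r"\\AppData\\Roaming\\Microsoft\\([^\\]+)\\([^\\]+)$", re.I)
# Assumption: legitimate folder names that live under Roaming\Microsoft on most hosts.
KNOWN_ROAMING_DIRS = {"Windows", "Crypto", "Protect", "Credentials", "SystemCertificates",
                      "Vault", "Office", "Internet Explorer", "Spelling", "Network"}
C2_IP = "144.168.45.110"


def classify(event):
    """Return the name of the first rule the event matches, or None if it looks benign."""
    kind = event["type"]
    if kind == "reg_set":
        if GUID_KEY.match(event["key"]) and HEX_BIN.search(event["data"]):
            return "appdatalow_guid_points_to_temp_bin"
    elif kind == "file_create":
        path = event["path"]
        if HEX_BIN.search(path):
            return "hex_named_bin_in_temp"
        if EFSSHELL.search(path):
            return "deviprov_in_efsshell"
        m = ROAMING_MS.search(path)
        if m and m.group(1) not in KNOWN_ROAMING_DIRS and "." not in m.group(2):
            return "extensionless_file_in_roaming_microsoft"
    elif kind == "http_get":
        if event["dst_ip"] == C2_IP and event["uri"].endswith("/tor/voip4.rar"):
            return "tor_client_fetch_from_c2"
    return None


def scan(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for event in events:
        rule = classify(event)
        if rule:
            hits.append((rule, event))
    return hits


if __name__ == "__main__":
    for rule, event in scan(EVENTS):
        print("%-40s %s" % (rule, event.get("path") or event.get("key") or event.get("uri")))
```

The hex-named .bin rule and the extension-less-file rule are the two most likely to need tuning on a real estate: the first because other software drops short hex-named files in %Temp%, the second because any application that stores state in its own Roaming\Microsoft subfolder will trip it unless that folder is added to the allowlist. The registry rule is the tightest of the set, since a per-user GUID key under AppDataLow whose data is a Temp path is not something benign software sets.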